Step-By-Step Guide To Managing Multiple Local Group Policy Objects
Securing computers and users' desktops is an important responsibility of the IT administrator.
Today's computing environment provides users with hundreds, if not thousands, of configurable
settings. Some of these settings are harmless while others could keep help desk staff busy. Domain
administrators solve these tough problems using Group Policy. How do you solve this problem for
stand-alone computers? Microsoft Windows Vista solves this problem by introducing Multiple Local
Group Policy objects.
Multiple Local Group Policy objects (MLGPO) is a new feature included in Windows Vista that
improves previous Local Group Policy technology found in Microsoft® Windows® XP. MLGPOs allow
an administrator to apply different levels of Local Group Policy to local users on a stand-alone
computer. This technology is ideal for shared computing environments where domain-based
management is not available, such as shared library computers or public Internet kiosks.
This guide includes a series of step-by-step scenarios to show how to set up Multiple Local Group
Policy objects on a stand-alone computer running Windows Vista. These scenarios, when done in
succession, will show you the power and flexibility of Multiple Local Group Policy objects, and will
give you an understanding of MLGPOs and how to introduce them in your environment.
Technology Review
Local Group Policy is a subset of a broader technology known as Group Policy. Group Policy is
domain based while Local Group Policy is specific to the local computer. Both technologies allow
administrators to configure specific settings in the operating system and then force those settings to
computers and users. Local Group Policy is not as robust as Group Policy. For example, Group Policy
allows administrators to configure any number of policies that could affect some, all, or none of the
users of a domain-joined computer. Group Policy could even apply policies to users that have
specific group memberships. However, Local Group Policy could only apply one policy to the
computer and all the local users of the computer, even the local administrator. This made managing
the stand-alone computer difficult because the same policy applied to the administrator and the
users.
Windows Vista introduces Multiple Local Group Policy objects, an improvement over the previous
version of Local Group Policy that gives stand-alone computer administrators the ability to apply
different Group Policy objects to stand-alone users. Windows Vista provides this ability with three
layers of Local Group Policy objects: Local Group Policy, Administrator and Non-Administrators
Group Policy, and user specific Local Group Policy. These layers of Local Group Policy objects are
processed in order, starting with Local Group Policy, continuing with Administrators and Non-
Administrators Group Policy, and finishing with user-specific Local Group Policy.
Processing order
The benefits of Multiple Local Group Policy objects come from the processing order of the three
separate layers. The Local Group Policy object applies first. This Local Group Policy object may
contain both computer and user settings. User settings contained in this policy apply to all users,
including the local administrator. Next, Windows applies Administrators and Non-Administrators
Local Group Policy objects. These two Local Group Policy objects represent a single layer in the
processing order, and the user receives one or the other. Neither of these Local Group Policy objects
contains computer settings. Windows finishes processing Local Group Policy objects by applying
user-specific Local Group Policy. This last layer of Local Group Policy objects contains only user
settings, and you apply it to one specific user on the local computer.
To summarize, Windows applies Local Group Policy objects first, then the Administrators or Non-
Administrators Local Group Policy objects, and finally the user-specific Local Group Policy objects.
Guide Requirements
This guide requires you to have one computer running Windows Vista or later. You can read the
most current hardware requirements at the Windows Vista Web site.
Prerequisites
Create a non-administrative user account
2. Open the Start menu. Right-click Computer, and then click Manage.
5. Type the name of the user you will use in scenarios included in this guide. For example, if you want to name the user
"webuser1" then you would type webuser1 in the Username box and in the Full name box.
6. Type a password you will remember in the Password and Confirm Password boxes. For example, if you choose to
use "Password1" for the password, then you would type Password1 in both the Password and Confirm Password
boxes.
Important:
Passwords are case sensitive. The password you type in the Password and Confirm
Password boxes must match to add the user account.
7. Clear the User must change password at next logon check box.
8. Select the Password never expires and User cannot change password check boxes.
9. Click Create, and then click Close. Click File, and then click Exit.
1. Log on to the workstation with the user account you created in the "Create a non-administrative user account"
procedure. Close any startup applications, if this is the first time you are logging in with this user on this computer.
Note that icons appear on the desktop.
2. Open the Start menu and make note of the icons displayed.
3. Right-click the taskbar. Note the shortcuts that appear in the shortcuts menu.
4. Click Start, click All Programs, click Accessories, and then click Run. Notice how the Run dialog appears. Click
Cancel.
5. Open the Start menu, right-click Internet Explorer, and then click Internet Properties. The Internet Control Panel
appears. Make a note of all the tabs on this dialog box, specifically the Connections tab.
1. Log on to the workstation using the administrative account you created during the installation of Windows Vista.
Click Start, click All Programs, click Accessories, and then click Run. Type mmc.exe and click OK.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, in the Available snap-ins list, click Group Policy Object Editor, and
then click Add.
4. In the Select Group Policy Object dialog box, ensure Local computer appears under Group Policy Object. Click
Finish.
5. Click Group Policy Object Editor under the Available standalone snap-ins list and then click Add.
6. In the Select Group Policy Object dialog box, click Browse. Click the Users tab. Click the Non-Administrators
group. Click OK. Click Finish.
7. Click Group Policy Object Editor under the Available standalone snap-ins list and then click Add.
8. In the Select Group Policy Object dialog box, click Browse. Click the Users tab. Click the Administrators group.
Click OK. Click Finish. Click OK.
9. Click Group Policy Object Editor under the Available standalone snap-ins list and then click Add.
10. In the Select Group Policy Object dialog box, click Browse. Click the Users tab. Click the name of the
administrative user you created during the installation of Windows Vista. For example, if you named your
administrative user LocalAdminUser, then click LocalAdminUser. Click OK. Click Finish. Click OK.
11. In the Console1 window, click File, click Save, and then click Desktop. Type MLGPO in the filename text box and
click Save.
Note:
You can start the custom management console by double-clicking the MLGPO icon located
on your desktop.
The policy settings in these scenarios change visual elements within the user environment, making
it easier to notice changes for each Local Group Policy object. These policy settings are not the
recommended policy settings for a kiosk scenario and are likely to change with each kiosk
environment. Administrators should carefully consider all policy settings to decide which policy
settings are proper for their environment.
Note:
Local Computer Policy is also known as Local Group Policy in previous versions of Windows.
1. Log on as the administrative user you created during the installation of Windows Vista. Double-click the MLGPO icon
on your desktop that you created during the prerequisite portion of this document.
2. Click Local Computer Policy. Click the arrow next to Administrative Templates under the User Configuration
node.
3. Click the arrow next to Windows Components and Internet Explorer. Click Internet Control Panel. Note the
details pane shows all policies as Not Configured.
4. Use Appendix A to define each policy setting. When finished, close the MLGPO console by clicking File and then
clicking Exit. If prompted to save the console, click No.
You have successfully defined policy settings in the Local Group Policy object. Now, check the
results of the policy settings you performed in the Local Group Policy.
Check the results of the Local Group Policy object
In the "Local Group Policy scenario," you imposed policy settings that disabled specific tabs in the
Internet Control Panel. The following procedure guides you through the user interface to view the
results of the policy settings contained in the Local Group Policy object.
Check the results
1. Log off of the computer. Log on to the computer using the user account created in the "Create a non-administrative
user account" procedure.
2. Open the Start menu. Right-click Internet Explorer, and then click Internet Properties. The Internet Control Panel
will appear with text that reads, "Access to this feature has been disabled by a restriction set by your system
administrator."
3. Log off of the computer. Log on to the computer as the local administrative user. Perform step 2 again.
The "Local Group Policy scenario" shows you that Windows prevents access to the Internet Control
Panel for the local administrative user and a normal user of the computer by using the Local Group
Policy object.
These policy settings will change the behavior of the Start menu and taskbar.
Define Non-Administrators Local Group Policy
1. Log on to the workstation with the local administrative user account you created during the installation of Windows
Vista.
3. Click the arrow next to Administrative Templates under User Configuration. Click Start Menu and Taskbar.
4. Use the list of policy settings in Appendix B to define each policy setting. When finished, close the MLGPO
console by clicking File and then clicking Exit. If prompted to save the console, click No.
You have successfully configured policy settings for the Non-Administrators Local Group Policy
object. Check the results of adding the Non-Administrators Local Group Policy object and see how it
works with the Local Group Policy object.
Check the results of the Non-Administrators Local Group Policy object
In the "Non-Administrators Local Group Policy scenario," you enabled user settings in the Non-
Administrators Local Group Policy object. These procedures help you review the effects the Non-
Administrators Local Group Policy object has on a local user and on the local administrator. Icons
appeared on the Desktop and Start menu before you implemented the Non-Administrators Local Group
Policy. After you create the policy, icons no longer appear on the Desktop and Start menu, and shortcut
menus are not available. This confirms that you successfully created the Non-Administrators Local Group
Policy.
Check the results
1. Log on to the workstation with the previously created user account. Icons do not appear on the desktop.
2. Open the Start menu. Icons are not displayed on the Start menu.
3. Right-click the taskbar. Notice that the shortcut menu does not appear.
4. Click Start, click All Programs, click Accessories, and then click Run. A warning dialog appears stating the system
administrator has disabled the Run menu.
5. Log off of the computer. Log on as the local administrator you created during the installation of Windows Vista.
6. Repeat steps 3–5. Notice the different behavior in the Start menu and taskbar between a local user and the local
administrator.
7. Open the Start menu. Right-click Internet Explorer, and then click Internet Properties. The Internet Control Panel
appears with text that reads, "Access to this feature has been disabled by a restriction set by your system
administrator."
In the "Non-Administrators Local Group Policy scenario," you added policy settings to the Non-
Administrators Local Group Policy that changed the behavior of the Start menu and taskbar. Non-
administrative users did not have icons on their desktop or in their Start menu. Also, you removed
non-administrative users' ability to use shortcut menus on the taskbar and the Run command.
Administrative users have icons on their desktop and Start menu. Taskbar shortcut menus and the
Run command work properly. However, Windows still restricts administrative users from access to
the Internet Control Panel. This restriction persists because you enabled it in the Local Group Policy
and it applies to all local users. Non-administrative users are still affected by this policy; however,
they are further restricted from accessing the Internet Control Panel because the icon is not
present.
1. Open the MLGPO console, and then click Local Computer\Administrators Policy.
2. Click the arrow next to the Administrative Templates under User Configuration.
3. Click Start Menu and Taskbar. The details pane shows all policies as Not configured.
4. In the details pane, double-click the Add the Run command to the Start Menu policy setting.
5. In the Add the Run command to the Start Menu dialog box, click Enabled. Click OK to finish.
You have successfully configured the Administrators Local Group Policy object. In this scenario, you
added a single policy setting for all Administrators. Check the results of adding the Administrators
Local Group Policy object and note how it works with the existing Local Group Policy.
Check the results of the Administrators Local Group Policy object
This policy setting adds the Run command to the Start menu. Use the following procedures to
discover the effects this new Local Group Policy object has on the local administrator and user.
Check the results
1. Log on to the computer as the local administrative user you created during the installation of Windows Vista.
2. Open the Start menu. The Run command is located on the lower right of the Start menu.
3. Open the Start menu. Right-click Internet Explorer, and then click Internet Properties. The Internet Control
Panel appears with text that reads, "Access to this feature has been disabled by a restriction set by your system
administrator."
5. Repeat steps 1 and 2. Non-administrative users do not have the Run command on the Start menu.
In the "Administrators Local Group Policy scenario," you added the policy setting that adds the Run
command to the Start menu to the Administrators Local Group Policy object. Then, as an
administrator, you opened the Start menu to reveal the Run command. This scenario shows how
you can set policy settings that apply only to local administrators. However, even as a local
administrative user, you cannot access the Internet Control Panel because of the Local Group Policy
object. Windows restricts non-administrative users' ability to invoke taskbar context menus, the Run
command, and icons on the desktop or Start menu. Even if the icon were present, the non-administrative
user would still not have access to the Internet Control Panel.
To review, in the first scenario, you disabled access to the Internet Control Panel in the Local Group
Policy object. The results so far show the Local Group Policy is affecting administrative and non-
administrative local users. Next, you enabled policy settings that restrict icons from the Desktop
and the Start menu in the Non-Administrators Local Group Policy object. You viewed the results of
these policy settings when the non-administrative user no longer had icons on their desktop or on
the Start menu. However, none of these settings affected the administrative user, showing that the
Non-Administrators Local Group Policy object is applying to users as its name suggests. In the last
scenario, you used the Administrators Local Group Policy object to add the Run command to the
Start menu. The results show Windows is applying this policy to administrative users only.
Group Policy Settings and create a user-specific Local Group Policy object for the local
administrative user account you created during the installation of Windows Vista.
Note:
You should follow "Local Group Policy scenario" before following the current scenario. The policy
settings in this scenario conflict with policy settings enabled in "Local Group Policy scenario." This
scenario adds the Advanced, Content, General, Privacy, Programs, and Security tabs to the
Internet Control Panel that you removed previously in "Local Group Policy scenario."
1. Log on to the computer with the local administrative account you created during the installation of Windows Vista.
2. Open the MLGPO console, and then click the node containing the name of the local administrative user account you
created during the installation of Windows Vista. For example, if you named the user "LocalAdminUser," then you
would click Local Computer\LocalAdminUser.
3. Click the arrow next to Administrative Templates under User Configuration. Click the arrow next to Windows
Components and Internet Explorer. Click Internet Control Panel.
4. Refer to Appendix C to define each policy setting. When finished, close the MLGPO console by clicking File and
then clicking Exit. If prompted to save the console, click No.
1. Log on to the computer with the local administrative user account you created during the installation of Windows
Vista.
2. Open the Start menu. Right-click Internet Explorer. Click Internet Properties. Windows displays the Internet
Control Panel and all the tabs except the Connections tab.
3. Open the Start menu. The Run command is located on the lower right of the Start menu.
The Local Group Policy scenario prevented a local administrative user from opening the Internet
Control Panel. Windows applies the user-specific Local Group Policy object for the administrative user
last, so its settings take precedence over conflicting settings in the earlier layers. This behavior gives only
that specific administrative user access to the Internet Control Panel. The absence of the Connections
tab within the Internet Control Panel shows that Windows is still applying the Local Group Policy.
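As an added example (not part of this guide), the following Windows PowerShell script lists what each Multiple Local Group Policy layer actually contains, so you can confirm the processing order and the results of each scenario without logging on as each user. It assumes the standard on-disk layout: the Local Group Policy object under %SystemRoot%\System32\GroupPolicy and the Administrators (S-1-5-32-544), Non-Administrators (S-1-5-32-545) and user-specific (user SID) objects under %SystemRoot%\System32\GroupPolicyUsers, each with a registry.pol file per scope; it needs Windows PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the guide: dump the settings stored in each Multiple
# Local Group Policy layer by parsing its registry.pol file (run elevated).

function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    # Null-terminated UTF-16LE string; leaves $Pos just past the terminator.
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $text = [Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    $text
}

function Read-RegistryPol([string]$Path) {
    # Layout: 'PReg' signature, DWORD version, then [key;value;type;size;data]
    # records; brackets and semicolons are UTF-16LE chars, type/size raw DWORDs.
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ([Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') { throw "$Path is not a registry.pol file" }
    $pos = 8
    while ($pos + 2 -le $bytes.Length) {
        if ([Text.Encoding]::Unicode.GetString($bytes, $pos, 2) -ne '[') { throw "Malformed record at $pos" }
        $pos += 2
        $key  = Read-PolString $bytes ([ref]$pos); $pos += 2             # ';'
        $name = Read-PolString $bytes ([ref]$pos); $pos += 2             # ';'
        $type = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6        # DWORD, ';'
        $size = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6        # DWORD, ';'
        $data = New-Object byte[] $size
        [Array]::Copy($bytes, $pos, $data, 0, $size); $pos += $size + 2  # data, ']'
        $value = switch ($type) {
            4 { [BitConverter]::ToUInt32($data, 0) }                                              # REG_DWORD
            { $_ -eq 1 -or $_ -eq 2 } { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ/EXPAND_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }              # anything else as hex
        }
        [PSCustomObject]@{ Key = $key; ValueName = $name; Type = $type; Data = $value }
    }
}

function Get-MlgpoLayers {
    # Layers present on disk, ranked in the order Windows applies them.
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Non-Administrators' }
    [PSCustomObject]@{ Rank = 1; Layer = 'Local Group Policy'; Dir = Join-Path $sys32 'GroupPolicy' }
    $usersDir = Join-Path $sys32 'GroupPolicyUsers'
    if (-not (Test-Path $usersDir)) { return }
    foreach ($d in Get-ChildItem $usersDir -Directory -Force) {
        if ($groups.ContainsKey($d.Name)) {
            [PSCustomObject]@{ Rank = 2; Layer = $groups[$d.Name]; Dir = $d.FullName }
        } else {
            $sid = New-Object Security.Principal.SecurityIdentifier $d.Name
            try { $who = $sid.Translate([Security.Principal.NTAccount]).Value } catch { $who = $d.Name }
            [PSCustomObject]@{ Rank = 3; Layer = "User-specific: $who"; Dir = $d.FullName }
        }
    }
}

function Get-MlgpoSettings {
    # Every layer's Machine and User registry.pol entries as one flat table.
    foreach ($layer in (Get-MlgpoLayers | Sort-Object Rank, Layer)) {
        foreach ($scope in 'Machine', 'User') {
            $pol = Join-Path $layer.Dir "$scope\registry.pol"
            if (-not (Test-Path $pol)) { continue }
            foreach ($rec in Read-RegistryPol $pol) {
                [PSCustomObject]@{ Layer = $layer.Layer; Scope = $scope; Key = $rec.Key; ValueName = $rec.ValueName; Data = $rec.Data }
            }
        }
    }
}

Get-MlgpoSettings | Format-Table -AutoSize
```

A layer that is missing from the output has no object on disk, which is what the Group Policy Object Exists column in the Browse dialog reports after you delete a Local Group Policy object.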
These scenarios show one of many ways you can configure Multiple Local Group Policy objects. You
can use Local Group Policy to set global limits and then use the Administrators, Non-Administrators,
and user-specific Local Group Policy objects to remove the limits. Alternatively, you can use each
Local Group Policy to restrict the respective group or user it applies to.
1. Log on to the computer with the local administrative user account you created during the installation of Windows
Vista.
2. Double-click the MLGPO icon on the desktop. Click File, and then click Add/Remove snap-in.
3. Click Group Policy Object Editor under the Available standalone snap-ins list, and then click Add.
4. In the Select Group Policy Object dialog box, click Browse. Click the Users tab. Right-click the Administrators
group. Click Remove Group Policy Object.
5. Click Yes to confirm the deletion of the Local Policy object. The text located in the Group Policy Object Exists
column next to Administrators will display No.
7. Click File, and then click Exit to close the MLGPO console. Click No, if prompted to save the console.
1. Log on to the computer as the local administrative user you created during the installation of Windows Vista.
2. Open the Start menu. The Start menu no longer shows the Run command that you defined in the "Administrators
Local Group Policy scenario."
Summary
Windows Vista introduces greater flexibility in managing Local Group Policy objects, providing the
means to manage Multiple Local Group Policy objects on a single computer. This increased flexibility
eases managing environments that involve shared computing on a single computer—such as
libraries or computer labs—allowing each computer to keep its own policy settings. In Windows
Vista, this flexibility is manifested through computer, group, and user-specific Local Group Policy
objects, making Multiple Local Group Policies the ideal Group Policy Management solution for stand-
alone computers.
Appendix B: Non-Administrators Local Group Policy Settings
You should not change any policy settings that do not appear in this appendix. Changing additional
policy settings may alter the results of the scenarios described in this guide.
Policy path            | Policy setting                                            | State
Start Menu and Taskbar | Remove user's folders from the Start Menu                 | Enabled
Start Menu and Taskbar | Remove links and access to Windows Update                 | Enabled
Start Menu and Taskbar | Remove common program groups from Start Menu              | Enabled
Start Menu and Taskbar | Remove Documents icon from Start Menu                     | Enabled
Start Menu and Taskbar | Remove Network Connections from Start Menu                | Enabled
Start Menu and Taskbar | Remove Favorites menu from Start Menu                     | Enabled
Start Menu and Taskbar | Remove Search link from Start Menu                        | Enabled
Start Menu and Taskbar | Remove Help menu from Start Menu                          | Enabled
Start Menu and Taskbar | Remove Run menu from Start Menu                           | Enabled
Start Menu and Taskbar | Remove Pictures icon from Start Menu                      | Enabled
Start Menu and Taskbar | Remove Music icon from Start Menu                         | Enabled
Start Menu and Taskbar | Remove Network icon from Start Menu                       | Enabled
Start Menu and Taskbar | Remove and prevent access to the Shut Down command        | Enabled
Start Menu and Taskbar | Remove Drag-and-drop menus on the Start Menu              | Enabled
Start Menu and Taskbar | Prevent changes to Taskbar and Start Menu Settings        | Enabled
Start Menu and Taskbar | Remove access to the context menus for the taskbar        | Enabled
Start Menu and Taskbar | Do not keep history of recently opened documents          | Enabled
Start Menu and Taskbar | Clear history of recently opened documents on exit        | Enabled
Start Menu and Taskbar | Remove Balloon Tips on Start Menu items                   | Enabled
Start Menu and Taskbar | Remove pinned programs list from the Start Menu           | Enabled
Start Menu and Taskbar | Remove the "Undock PC" button from the Start Menu         | Enabled
Start Menu and Taskbar | Do not display any custom toolbars in the taskbar         | Enabled
Desktop                | Remove Properties from the Recycle Bin context menu       | Enabled
Appendix C: User-Specific Local Group Policy Settings
You should not change any policy settings that do not appear in this appendix. Changing additional
policy settings may alter the results of the scenarios described in this guide.
Policy path                               | Policy setting               | State
Internet Explorer\Internet Control Panel  | Disable the Connections page | Not Configured